In-vehicle apparatus for efficient reprogramming and controlling method thereof

ABSTRACT

A reprogramming method of a vehicle includes authenticating a diagnostor; receiving integrated firmware comprising a plurality of firmwares that correspond to a plurality of target controllers, respectively, from the diagnostor that is completely authenticated; authenticating the integrated firmware; encrypting and storing the plurality of firmwares included in the integrated firmware; and generating encryption keys that corresponds the plurality of target controllers, respectively apparatus. The encrypting and storing comprises encrypting and storing the plurality of firmwares to the encryption keys that correspond to the plurality of firmwares, respectively.

CROSS-REFERENCES) TO RELATED APPLICATIONS

This application claims the benefit of priority to Korean PatentApplication No. 10-2017-0096914, filed on Jul. 31, 2017, which is herebyincorporated by reference as if fully set forth herein.

TECHNICAL FIELD

The present disclosure relates to reprogramming of a controller for avehicle, and more particularly, to a gateway for efficient reprogrammingfor a plurality of controllers and a controlling method thereof.

BACKGROUND

Recent vehicles are configured in such a way that most nodes of avehicle network includes an electronic control unit (ECU) for control ofelectronic components and chassis components, such as body controlmodule/electronic time & alarm control system (BCM/ETACS), an anti-lockbrake system (ABS) ECU, an engine ECU, and an air bag ECU. These ECUsare provided with a vehicle diagnosis service for safe and economicalvehicle driving to prevent a car trouble thereby and provided withvarious vehicle information items such as vehicle driving recordmanagement and statistical information. In addition, the ECUs are alsoprovided with software upgrade, i.e., reprogramming as necessary, forexample, to change specifications and upgrade a functions, which will bedescribed with reference to FIG. 1.

FIG. 1 is a diagram illustrating an example of a reprogramming procedurein a general vehicle.

Referring to FIG. 1, latest firmware 110 is transmitted to a targetcontroller as an upgrade target among controllers 150 in the vehiclethrough a diagnostor 120, a diagnostor connector 130 of the vehicle, anda central gateway (CGW) 140. The target controller verifies a diagnostorthrough a predetermined procedure, authenticates firmware, and performsupgrade by using firmware 160 that is completely authenticated. Here,the diagnostor connector 130 of the vehicle is connected to an on-boarddiagnostics (OBD) 2 node of the vehicle.

In this procedure, a security solution such as a firmware signing tool(FST) and a standard reprogramming tool (SRT) is used for firmwaresecurity of a controller. The FST is a tool for authentication offirmware of a controller to obtain approval of a vehicle manufacturerthrough a predetermined procedure. Without approval of the vehiclemanufacturer, firmware is not capable of being authenticated, and thus,fabricated firmware is prevented from being injected into thecontroller. The SRT is a tool for approval for access to a correspondingcontroller to allow only an owner of authentication certificate and anencryption key to be authorized with reprogramming, for firmwarereprogramming.

However, due to increase in the number of vehicle controllers andtechnology elaboration, controllers are highly associated, and thus, aplurality of controllers need to be updated with respect to a commontechnology/function. For example, a function of a smart cruise control(SCC) is associated with a plurality of controllers such as an enginecontroller, a brake controller, and a sensor controller. However,firmware of a general controller is upgraded by reprogramming firmwareaccording to one to one correspondence of a diagnostor and a controller.This procedure will be described with reference to FIG. 2.

FIGS. 2A to 2C are diagrams for explanation of an example of areprogramming procedure between a diagnostor and a controller in ageneral vehicle.

Referring to FIG. 2A, firmwares for three respective controllers areprepared. Here, authentication information that is separately calculatedfor firmware for each controller is accompanied. That is, when threefirmwares are present, the number of authentication information is also3.

When controllers are simultaneously updated using the firmwares, areprogramming request is transmitted to any one of controllerscorresponding to the firmwares prepared by a diagnostor, as shown inFIG. 2B (S210). Accordingly, a corresponding controller transmits a seedvalue to the diagnostor (S220). The diagnostor may calculate a key valuevia a predetermined method (bit calculation, encryption, etc.) using theseed value and return the key value to the controller (S230). Thecontroller calculates a key value via a predetermined method using theseed value transmitted to the diagnostor, and then, compares thecalculated key value with the key value received from the diagnostor toauthenticate the diagnostor (S240). Upon completing verification of thediagnostor, the controller transmits a verification message to thediagnostor (S250) and the diagnostor transmits firmware andauthentication information (S260). The controller authenticates firmwareby determining whether authentication information calculated through thereceived firmware and the received authentication information areidentical to each other (S270).

The procedure described with reference to FIG. 2B needs to be performedby each controller. For example, assuming that N controllers and Nfirmwares are present as shown in FIG. 2C, each firmware needs toacquire a signature from a security manager, to separately transmit thesignature to a controller in a vehicle through a firmware injectiondevice (diagnostor), and to be authenticated by each controller. Lastly,when operations S210 to S270 of FIG. 2B are repeatedly performed on allof firmwares 1 to N with respect to different controllers, N firmwaresare completely updated.

Due to this problem, in particular, when a plurality of firmwaresassociated with one function are updated, even if the same diagnostor isused, the aforementioned reprogramming procedure needs to be repeatedlyperformed for each firmware to update each firmware, and thus, there isa problem in that efficiency is degraded, that firmware installed in acontroller is not re-authenticated after reprogramming, and thatfirmware is capable of being re-installed by re-connecting thediagnostor when a problem occurs.

SUMMARY

An object of the present disclosure is to provide an apparatus forefficient reprogramming and a controlling method thereof.

In particular, an object of the present disclosure is to provide anapparatus for efficient reprogramming for a plurality of controllers anda controlling method thereof.

Additional advantages, objects, and features of the invention will beset forth in part in the description which follows and in part willbecome apparent to those having ordinary skill in the art uponexamination of the following or may be learned from practice of theinvention. The objectives and other advantages of the invention may berealized and attained by the structure particularly pointed out in thewritten description and claims hereof as well as the appended drawings.

To achieve these objects and other advantages and in accordance with thepurpose of the invention, as embodied and broadly described herein, areprogramming method of a vehicle includes authenticating a diagnostorby a gateway, receiving integrated firmware including a plurality offirmwares that correspond to a plurality of target controllers,respectively, from the diagnostor that is completely authenticated, by afirmware integrated management apparatus, authenticating the integratedfirmware by the firmware integrated management apparatus, encrypting andstoring the plurality of firmwares included in the integrated firmwareby the firmware integrated management apparatus, and generatingencryption keys that corresponds the plurality of target controllers,respectively, by the firmware integrated management apparatus, whereinthe encrypting and storing includes encrypting and storing the pluralityof firmwares to the encryption keys that correspond to the plurality offirmwares, respectively.

In another aspect of the present disclosure, a vehicle includes aplurality of controllers, a gateway configured to authenticate adiagnostor, and a firmware integrated management apparatus configuredto, upon receiving integrated firmware including a plurality offirmwares that correspond to a plurality of target controllers,respectively, among the plurality of controllers, from the diagnostorthat is completely authenticated, authenticate the integrated firmware,and encrypt and store the plurality of firmwares included in theintegrated firmware, wherein the firmware integrated managementapparatus generates encryption keys that corresponds the plurality oftarget controllers, respectively and encrypts and stores the pluralityof firmwares to the encryption keys that correspond to the plurality offirmwares, respectively.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are included to provide a furtherunderstanding of the invention and are incorporated in and constitute apart of this application, illustrate embodiment(s) of the invention andtogether with the description serve to explain the principle of theinvention. In the drawings:

FIG. 1 is a diagram illustrating an example of a reprogramming procedurein a general vehicle;

FIGS. 2A to 2C are diagrams for explanation of an example of areprogramming procedure between a diagnostor and a controller in ageneral vehicle;

FIG. 3 is a diagram for explanation of a concept of an update procedureusing integrated firmware and firmware integrated management apparatusaccording to an embodiment of the present disclosure;

FIG. 4 is a block diagram illustrating a structure of a firmware updatesystem according to an embodiment of the present disclosure;

FIG. 5 is a diagram illustrating an example of format of a firmwareupdate message according to an embodiment of the present disclosure;

FIG. 6 is a flowchart illustrating an example of integrated firmware anda firmware update procedure through a firmware integrated managementapparatus according to an embodiment of the present disclosure; and

FIG. 7 is a flowchart showing an example of a procedure in which afirmware integrated management apparatus checks and restores firmwareinstalled in a separate controller according to an embodiment of thepresent disclosure.

DETAILED DESCRIPTION

Exemplary embodiments of the present disclosure are described in detailso as for those of ordinary skill in the art to easily implement withreference to the accompanying drawings. However, the present disclosuremay be implemented in various different forms and is not limited tothese embodiments. To clearly describe the present disclosure, a partwithout concerning to the description is omitted in the drawings, andlike reference numerals in the specification denote like elements.

Throughout this specification, unless explicitly described to thecontrary, the word “comprise” and variations such as “comprises” or“comprising”, will be understood to imply the inclusion of statedelements but not the exclusion of any other elements. In addition, thesame reference numbers will be used throughout the drawings to refer tothe same or like parts.

According to an embodiment of the present disclosure, integratedfirmware including a plurality of firmwares is transmitted to a vehicleand the vehicle includes a separate object (hereinafter, referred to asa “firmware integrated management apparatus”) for authenticating andmanaging integrated firmware.

To this end, according to an embodiment of the present disclosure, oneinformation item is used for entire integrated firmware instead ofauthentication information items corresponding to respective firmwaresincluded in the integrated firmware. In addition, according to anembodiment of the present disclosure, authentication for a diagnostor isperformed by a gateway and authentication for an integrated firmware andmanagement of a plurality of firmwares included in the integratedfirmware are performed by a firmware integrated management apparatus.Here, management of firmware may include a backup function, a firmwaredelivery function for a separate controller, an integrity managementfunction for firmware that is completely reprogrammed, and a restorationfunction of a controller when firmware integrity is damaged.

First, a firmware update concept according to an embodiment of thepresent disclosure will be described with reference to FIG. 3.

FIG. 3 is a diagram for explanation of a concept of an update procedureusing integrated firmware and firmware integrated management apparatusaccording to an embodiment of the present disclosure.

Referring to FIG. 3, when a plurality of firmwares are prepared in afirmware developing operation, a plurality of firmwares may be combinedto one integrated firmware. For example, firmware 1, firmware 2, andfirmware 3 may be included with integrated firmware A. A reference offirmware included in one integrated firmware may be a controllerinvolved in a function (e.g., smart cruise control, front crashprevention, lane departure warning, etc.) implemented in the vehicle oran update data and may be exemplary, and thus, the present disclosuremay not be limited to a reference of firmware included in one integratedfirmware.

In a next security manager operation, authentication may be performed inunits of one integrated firmware including separate firmwares insteadauthentication of separate firmware. Accordingly, the integratedfirmware may include signature information.

The integrated firmware including the signature information may betransmitted to a vehicle via diagnosis communication and a firmwareintegrated management apparatus of the vehicle may authenticate andbackup the transmitted integrated firmware. Here, the authentication maybe performed in units of integrated firmwares by using the signatureinformation included in the integrated firmware. The firmware integratedmanagement apparatus may divide the integrated firmware into separatefirmwares and then encrypt and store the separate firmwares during thebackup, and in this case, may generate an encryption key correspondingto each controller and use the encryption key to encrypt firmware.

Upon completing authentication and backup, the firmware integratedmanagement apparatus may transmit the encryption key and firmwarecorresponding to a separate controller to the corresponding separatecontroller and the separate controller may perform reprogramming on thereceived firmware and transmit the result to the firmware integratedmanagement apparatus. In this case, the firmware integrated managementapparatus may transmit encrypted firmware data to the separatecontroller or may decrypt the encrypted firmware before beingtransmitted and transmit the firmware to the separate controller in theform of plain text. When the encrypted firmware data is transmitted, thecorresponding controller may decrypt the encrypted firmware data byusing the acquired encryption key with the firmware data.

When the aforementioned method is used, the number of signatures and anumber of times of authentication may be reduced by integrating aplurality of firmwares instead of performing signature andauthentication in units of separate firmwares, thereby simplifying anupdate operation and a signature and authentication load to the separatecontroller may be moved to the integrated management apparatus to reduceburden to the controller.

Hereinafter, a structure of a firmware update system according to anembodiment of the present disclosure will be described with reference toFIG. 4.

FIG. 4 is a block diagram illustrating a structure of a firmware updatesystem according to an embodiment of the present disclosure.

Referring to FIG. 4, the firmware update system may be divided into avehicle part and a non-vehicle part. In FIG. 4, a diagnostor 230 maycorrespond to the non-vehicle part and the remaining components maycorrespond to the vehicle part.

In more detail, the diagnostor 230 may be connected to a central gateway(CGW) of a vehicle via diagnosis communication (e.g., OBD-2) and the CGW240 may be connected to a firmware integrated management apparatus 210and separate controllers 251, 252, and 253 through a data path (e.g.,CAN BUS).

The diagnostor 230 may have a function of injecting new integratedfirmware to the vehicle and access the firmware integrated managementapparatus 210 after being authenticated by the CGW 240.

The CGW 240 may be a gateway for access to a vehicle network from theoutside of the vehicle and may authenticate the diagnostor 230.

The firmware integrated management apparatus 210 may encrypt and storefirmwares 211 of the respective controllers. The firmware integratedmanagement apparatus 210 may include encryption keys 215 for therespective controllers for ensuring data integrity and confidentialityor a security module 213 for separately storing authentication data. Tothis end, the firmware integrated management apparatus 210 may include amemory and a region for storing the firmwares 211 of the respectivecontrollers and a region allocated to the security module 213 may belogically or physically separated from each other. The firmwareintegrated management apparatus 210 may include processing modulescorresponding to respective functions such as authentication,encryption, and backup of integrated firmware, and integrity check offirmwares for respective controllers, and in some embodiments, mayinclude softwares corresponding to respective processing modules and aprocessor for driving/calculating the software.

Each of the controllers 251, 252, and 253 may store the encryption keysand firmwares corresponding to the respective controllers and decryptthe encrypted firmware by using the encryption key or may autonomouslycheck firmware integrity through a predetermined algorithm (e.g., Hmac,sha, etc.). In this case, to check firmware integrity, random numberstransmitted from the firmware integrated management apparatus 210 may beused and the check result may be re-transmitted to the firmwareintegrated management apparatus 210, which will be described in moredetail with reference to FIG. 7.

Hereinafter, the form in which integrated firmware is transmitted willbe described with reference to FIG. 5.

FIG. 5 is a diagram illustrating an example of format of a firmwareupdate message according to an embodiment of the present disclosure.

As shown in FIG. 5, the integrated firmware may be transmitted to avehicle from a diagnostor in the form of firmware update message. Thefirmware update message may include a header, a plurality of firmwaredata (Firmware 1, Firmware 2, Firmware 3, Firmware X, etc.) andsignature information (Signature).

Here, the header may perform a header function of a message, and here,include at least one of a header version including version informationof the header, integrated firmware identification information foridentifying integrated firmware from other integrated firmware, firmwarenumber information included in a corresponding message, controlleridentification (ID) information corresponding to each firmware, messagelength information, and version information of separate firmware.

The signature information may be authentication information indicating asignature value of each firmware including a header and represented inthe form of, for example, “signature=do_sign(Header, firm1, firm2,firm3, . . . , firm x);”.

Due to use of the aforementioned form of update message, securityintensity, an authentication element, an authentication method, and soon for each integrated firmware may be ranged and managed. Whenfirmwares are integrated, the number of firmwares to be originalequipment manufacturer (OEM)-managed by a security manager and a vehiclemanufacturer may be reduced depending on a controller softwaremanufacturer, thereby improving management efficiency. In addition, iffirmwares are integrated depending on a controller operating function,controllers involved in a corresponding function may be simultaneouslyupdated when a plurality of controllers are updated depending on anadded or changed vehicle function, and it may be easy to manage aversion when the controllers are integrated and managed depending on adata/time.

Hereinafter, a firmware update procedure will be described in moredetail with reference to FIG. 6.

FIG. 6 is a flowchart illustrating an example of integrated firmware anda firmware update procedure through a firmware integrated managementapparatus according to an embodiment of the present disclosure. In FIG.6, integrated firmware is assumed to include two firmwares thatcorrespond to controller 1 and controller 2, respectively.

Referring to FIG. 6, the update procedure may largely include a vehicleaccess security authentication operation S610 performed between adiagnostor and a vehicle gateway, a firmware authentication operationS620 in which a firmware integrated management apparatus receivesintegrated firmware and performs update pre-processing, and a firmwarereprogramming operation S630 in which actual reprogramming is performed.Hereinafter, each operation will be described in detail.

First, the vehicle access security authentication operation S610 will bedescribed now.

The diagnostor may be connected to the vehicle and then may transmit anauthentication request to a central gateway (CGW) (S611). Accordingly,the CGW may authenticate the diagnostor (S613), and upon successfullyauthenticating the diagnostor, the CGW may return authenticationinformation indicating that authentication is completed, to thediagnostor (S615).

In the firmware authentication operation S620, the diagnostor that issuccessfully authenticated by the CGW may access the firmware integratedmanagement apparatus and transmit integrated firmware to the firmwareintegrated management apparatus (S621). The firmware integratedmanagement apparatus may authenticate integrated firmware by usingsignature included in the integrated firmware, and upon successfullyauthenticating the integrated firmware, the firmware integratedmanagement apparatus may generate an encryption key of diagnostorscorresponding to the respective firmwares included in the integratedfirmware and encrypt and store the separate firmware by using thegenerated encryption key (S623). Upon successfully authenticating theintegrated firmware, the firmware integrated management apparatus mayreturn the authentication result corresponding thereto to the diagnostor(S625).

In the firmware reprogramming operation S630, first, the firmwareintegrated management apparatus may transmit the firmwares andencryption keys corresponding to respective controllers, to thecontrollers (S631A and S631B). Each controller that receives firmwareand an encryption key may update the firmware and store the encryptionkey by using the received firmware (S633A and S633B). Then, uponsuccessfully updating the firmware, each controller may return theupdate result to the firmware integrated management apparatus (S635A andS635B). Accordingly, the firmware integrated management apparatus maytransmit the reprogramming result of entire integrated firmware to thediagnostor (S637).

When reprogramming is completed through the procedure shown in FIG. 6,the firmware integrated management apparatus may also perform post-checkand restoration of reprogramming, which will be described below withreference to FIG. 7.

FIG. 7 is a flowchart showing an example of a procedure in which afirmware integrated management apparatus checks and restores firmwareinstalled in a separate controller according to an embodiment of thepresent disclosure.

Referring to FIG. 7, a management function performed by a firmwareintegrated management apparatus after firmware update may be largelydivided into a firmware integrity check function (S710) and areprogramming function (S720) for firmware restoration.

First, the integrity check function (S710) may be performed as follows.

First, the firmware integrated management apparatus may generate arandom number (S711) and transmit the random number to a targetcontroller (S712). The firmware integrated management apparatus mayperform MAC calculation by using the random number, the firmware, and anencryption key for a corresponding controller (S713A), and the targetcontroller may perform MAC calculation by using the received randomnumber, the encryption key received during firmware update, and thefirmware installed in the target controller (S713B). The targetcontroller may transmit a MAC value generated as the calculation resultto the firmware integrated management apparatus (S714) and the firmwareintegrated management apparatus may compare the received MAC value andthe MAC value generated by the apparatus to determine whether the twovalues are the same, determine that there is no problem in terms offirmware integrity of the target controller, and otherwise, proceed tothe firmware reprogramming (S720) for restoration (S715).

The aforementioned integrity check function may be performed with apredetermined period (a time or vehicle mileage base) or performed basedon an event (e.g., when a vehicle is turned on, etc.). The integritycheck may be triggered with different periods for respective controllersor depending on an event condition.

Hereinafter, the firmware reprogramming (S720) for restoration will bedescribed.

When there is a problem in terms of firmware integrity (i.e., when MACvalues are different), the firmware integrated management apparatus maydetermine firmware corresponding to a controller with a problem in termsof integrity among encrypted firmwares and encryption keys which arebacked up to the apparatus (S721) and transmit the encrypted firmware toa corresponding controller (S723). The controller may decrypt theencrypted firmware data by using a pre-stored encryption key and thenperform reprogramming to restore firmware (S725). Upon completingfirmware restoration, a corresponding controller may transmitreprogramming result information to the firmware integrated managementapparatus (S727). The firmware integrated management apparatus mayre-perform the aforementioned firmware integrity check operation (S710)to re-check the reprogramming result (S729).

Although FIG. 7 shows the firmware integrity check and restorationoperations for one controller, the firmware integrated managementapparatus may perform the firmware integrity check and restorationoperations on at least one a partial or entire portion of a separatecontroller irrespective of the number of controllers that manage thefirmware and the encryption key.

The aforementioned present disclosure can also be embodied as computerreadable code stored on a computer readable recording medium. Thecomputer readable recording medium is any data storage device that canstore data which can thereafter be read by a computer. Examples of thecomputer readable recording medium include a hard disk drive (HDD), asolid state drive (SSD), a silicon disc drive (SDD), read-only memory(ROM), random-access memory (RAM), CD-ROM, magnetic tapes, floppy disks,optical data storage devices, etc.

A plurality of controller may be efficiently performed through thefirmware integrated management apparatus related to at least oneembodiment of the present disclosure configured as described above.

In particular, a plurality of firmwares may be authenticated and managedby the firmware integrated management apparatus by using oneauthentication information item, and thus, repeated authentication on acontroller-by-controller basis may not be required and a size ofauthentication information may be reduced.

It will be appreciated by persons skilled in the art that that theeffects that could be achieved with the present disclosure are notlimited to what has been particularly described hereinabove and otheradvantages of the present disclosure will be more clearly understoodfrom the above detailed description taken in conjunction with theaccompanying drawings.

It will be apparent to those skilled in the art that variousmodifications and variations can be made in the present disclosurewithout departing from the spirit or scope of the inventions. Thus, itis intended that the present disclosure covers the modifications andvariations of this invention provided they come within the scope of theappended claims and their equivalents.

What is claimed is:
 1. A reprogramming method of a vehicle, the methodcomprising: authenticating, by a gateway, a diagnostor; receiving, by afirmware integrated management apparatus, integrated firmware comprisinga plurality of firmwares that correspond to a plurality of targetcontrollers, respectively, from the diagnostor that is completelyauthenticated; authenticating, by the firmware integrated managementapparatus, the integrated firmware; encrypting and storing, by thefirmware integrated management apparatus, the plurality of firmwaresincluded in the integrated firmware; generating, by the firmwareintegrated management apparatus, encryption keys that corresponds theplurality of target controllers, respectively; storing the encryptionkeys in a region of memory physically or logically separated from aregion of memory in which the plurality of firmwares included in theintegrated firmware are stored; and transmitting, by the firmwareintegrated management apparatus, corresponding encrypted firmware amongthe plurality of encrypted firmwares along with a correspondingencryption key generated by the firmware integrated management apparatusto each of the plurality of target controllers, wherein the encryptingand storing comprises encrypting and storing the plurality of firmwaresto the encryption keys that correspond to the plurality of firmwares,respectively.
 2. The method according to claim 1, wherein the integratedfirmware comprises one authentication information item about all theplurality of firmwares.
 3. The method according to claim 2, wherein theintegrated firmware is transmitted through the diagnostor in the form ofupdate message; and wherein the update message comprises a header. 4.The method according to claim 3, wherein the header comprises at leastone of a header version, integrated firmware identification information,firmware number information indicating the number of the plurality offirmwares, corresponding controller identification information for eachfirmware, message length information, and separate firmware versioninformation.
 5. The method according to claim 1, wherein the encryptionkeys for the controllers that correspond to the plurality of firmwares,respectively, are stored in a security module of the firmware integratedmanagement apparatus.
 6. The method according to claim 1, furthercomprising, when each of the plurality of target controllers encryptsthe firmware transmitted to each of the plurality of target controllers,decrypting the encrypted firmware by using the encryption keytransmitted to each of the plurality of target controllers and thenperforming reprogramming.
 7. The method according to claim 1, furthercomprising periodically checking, by the firmware integrated managementapparatus, firmware integrity of each of the plurality of targetcontrollers.
 8. The method according to claim 7, further comprisingre-transmitting, by the firmware integrated management apparatus,firmware corresponding to a controller with a problem in terms of checkof the firmware integrity among the plurality of encrypted firmwares, tothe controller with the problem among the plurality of targetcontrollers.
 9. A non-transitory computer readable recording mediumhaving recorded thereon a program for executing a method comprising:authenticating, by a gateway, a diagnostor; receiving, by a firmwareintegrated management apparatus, integrated firmware comprising aplurality of firmwares that correspond to a plurality of targetcontrollers, respectively, from the diagnostor that is completelyauthenticated; authenticating, by the firmware integrated managementapparatus, the integrated firmware; encrypting and storing, by thefirmware integrated management apparatus, the plurality of firmwaresincluded in the integrated firmware; generating, by the firmwareintegrated management apparatus, encryption keys that corresponds theplurality of target controllers, respectively; storing the encryptionkeys in a region of memory physically or logically separated from aregion of memory in which the plurality of firmwares included in theintegrated firmware are stored; and transmitting, by the firmwareintegrated management apparatus, corresponding encrypted firmware amongthe plurality of encrypted firmwares along with a correspondingencryption key generated by the firmware integrated management apparatusto each of the plurality of target controllers, wherein the encryptingand storing comprises encrypting and storing the plurality of firmwaresto the encryption keys that correspond to the plurality of firmwares,respectively.
 10. A vehicle comprising: a plurality of controllers; agateway configured to authenticate a diagnostor; and a firmwareintegrated management apparatus configured to, upon receiving integratedfirmware comprising a plurality of firmwares that correspond to aplurality of target controllers, respectively, among the plurality ofcontrollers, from the diagnostor that is completely authenticated,authenticate the integrated firmware, and encrypt and store theplurality of firmwares included in the integrated firmware, wherein thefirmware integrated management apparatus generates encryption keys thatcorresponds the plurality of target controllers, respectively, andencrypts and stores the plurality of firmwares to the encryption keysthat correspond to the plurality of firmwares, respectively, wherein thefirmware integrated management apparatus stores the encryption keys in aregion of memory physically or logically separated from a region ofmemory in which the plurality of firmwares included in the integratedfirmware are stored, and wherein the firmware integrated managementapparatus transmits corresponding encrypted firmware among the pluralityof encrypted firmwares along with a corresponding encryption keygenerated by the firmware integrated management apparatus to each of theplurality of target controllers.
 11. The vehicle according to claim 10,wherein the integrated firmware comprises one authentication informationitem about all the plurality of firmwares.
 12. The vehicle according toclaim 11, wherein the integrated firmware is transmitted through thediagnostor in the form of update message; and wherein the update messagecomprises a header.
 13. The vehicle according to claim 12, wherein theheader comprises at least one of a header version, integrated firmwareidentification information, firmware number information indicating thenumber of the plurality of firmwares, corresponding controlleridentification information for each firmware, message lengthinformation, and separate firmware version information.
 14. The vehicleaccording to claim 10, wherein the encryption keys for the controllersthat correspond to the plurality of firmwares, respectively, are storedin a security module of the firmware integrated management apparatus.15. The vehicle according to claim 10, wherein each of the plurality oftarget controllers decrypts the encrypted firmware by using theencryption key transmitted to each of the plurality of targetcontrollers and then performing reprogramming when the firmwaretransmitted to each of the plurality of target controllers is encrypted.16. The vehicle according to claim 10, wherein the firmware integratedmanagement apparatus periodically checks firmware integrity of each ofthe plurality of target controllers.
 17. The vehicle according to claim16, wherein the firmware integrated management apparatus re-transmitsfirmware corresponding to a controller with a problem in terms of checkof the firmware integrity among the plurality of encrypted firmwares, tothe controller with the problem among the plurality of targetcontrollers.